Bci NeBe conf 2017 thought provoking - challenging the maturity of bcm v2 - rudy muls sd

1. CHALLENGING THE
MATURITY OF BCM
Rudy Muls
MBCI, CISSP, CCSK

2. Presentation Summary
• The ability to be able to continue the critical business processes
during/after a major disruption is essential to an organisation. It is a
challenge to implement BCM but is generally more of a challenge to keep
BCM up to date and keep improving the capabilities to deal with new and
changing threats such as cyber that an organisation faces.
• At KBC Bank this was tackled by challenging the organizational entities to
demonstrate and improve their BCM maturity resulting in improved
resilience.
1. how this approach was sold to Top Management,
2. how it was developed and implemented with minimal impact on the
organisation.
3. also demonstrate the benefits and how various departments worked
together to establish and conduct this programme.
4. share the framework which can easily be adopted by other organisations.

3. Agenda
1. Once upon a day …. Oh, dear, … a challenge!
2. The Process
3. The Outcome
4. Applicability
5. Summary

4. Working Hard

5. The Result
Minimal
Impact

6. 1. Once upon a day …. Oh, dear, … a challenge!
1. All company processes to be challenged – one
approach
2. So called Group Key Controls
3. Starting with a relative simple process
4. Targets
Management
Support
Minimal
Impact

7. 2. The Process
1. Preparation phase
1. Core group discussions => scale
1. Magic words: identified, translated, executed, managed
2. More magic words: design (1) and operational (2)
effectiveness (3)
2. Asking for remarks, ideas, availability, cooperation
Together –
Core Group

8. BCI Lifecycle adopted 
Priorities, Threats, Top
management buy-in, …
Choices of
stragegies and
tactics
Welfare, personal
experience, availability, …
Exercises,
experience, …
Policies, follow-up, …

9. BCI Lifecycle adopted 
Framework

10. 2. The Process
2. Working phase
1. 2 days, 20+ involved BC managers, support from mgt
2. A control example => BIA
3. Another example => Testing
4. What is the Olympic Minimum for each control?
5. 1 questionnaire, changes in tool
Together –
Working
Group

11. Identified:
The Business Impact Analysis (BIA) must cover all business activities, including those (partially) outsourced.
What are the minimum quality criteria / components of a BIA: all business activities ?
1. Short description/Name of the activity
2. Department/unit where is activity executed
3. RTO of the activity (with the reason why)
Who performs BIA ?
Who challenges BIA's (For example challenged by BC Manager, approval by Business Continuity
Committee/Board) ?
Concern 1 participant: RTO of the activity (with the reason why) - It is not realistic. (To give real reason to all
RTO) The administration level will be increased only. We should make/keep categories e.g. financial reason,
SLA etc. (like decision tree)
Translated:
Is there a formal process for determining continuity objectives based on understanding the impact of
disruptive incidents ?
For each business activity, the purpose of a BIA is to:
• document the impacts over time that would result from loss or disruption;
• determine the minimum levels of service and activities' performance;
• determine the priorities for recovery (RTO);
Scenarios is not relevant at this level-> The cause of interruption is not important, what is important is to
know what is important for Business to start it as first (RTO definition of the activities)
Example Control BIA

12. Executed:
The business impact analysis (critical processes) been performed regularly:
1) each time a new business activity is developed (at set-up),
2) every time there is a fundamental change to a business activity,
3) In full, every year. ?
The 'up to date' BIA can be consulted by all involved parties.
Managed:
The results of the Business Impact Analysis exercise are challenged and approved by the responsible
bodies. (For example challenged by BC Manager, approval by Business Continuity Committee/Board).
The approval is included in the meeting minutes of the Business Continuity Committee or equivalent.
Not all BIA need to be completely presented to the committee/board but only the MAJOR changes
(Change of RTO 1 to 3 of new activities, new outsourcing,). Nevertheless the committee or board will be
send the whole BIA mail or SharePoint link (up to them to read it carefully of not) during the committee
only relevant changes are presented for validation.
Concern 1 participant: What does it mean challenge? E.g. how can we control that all business activities
are covered?
Example Control BIA

13. Identified:
Define Walk-through / table top exercise / infrastructure test requirements
Translated:
Walk-through: Initial review to assess the viability of the written content of any type of a continuity /
recovery plan to uncover design flaws and omissions as well as educate team members. This is done with
the plan author and key stakeholders.
Table top: Done in a conference room (as opposed to using recovery sites), a table top exercise brings
together continuity / recovery teams (e.g. business and IT) to discuss their roles and responsibilities and
how they would react to a crisis. The scope of a table top exercise can be either one plan involving one or
multiple teams or departments or multiple plans involving multiple teams and departments to identify
gaps in procedures, dependencies and expectations as well as to train and cross-train continuity or
recovery team members. The facilitator-led discussion is based on a predefined scenario that unfolds
over a period of time, sometimes with surprise changes injected into the discussion. The scenario should
not be known to the participants prior to the start of the exercise. External sources maybe engaged e.g.
police, utilities, key customers or service providers.
Another Example – Control Testing

14. Executed:
Fall back location testing
The following type of exercise are performed (not exhaustive list)
Walk-through:
• a review of a new or revised plan
• a review of a business unit or IT service recovery plan after an annual BIA
• a review of a plan when exercising is not feasible, e.g. time, resources, technical environment
• a new member of the continuity / recovery team is educated on the plan's structure, content or flow
Table top
• IT service(s) recovery plan(s) exercise
• crisis management team exercise e.g. power outage, pandemic, active shooter exercise w/ police, loss of building,
civil unrest, transportation incident, natural disaster, Information security incident
• line of business and/or its supporting administrative departments
Managed:
Reporting on tests exist (Lessons learned from test are mentioned, action plans are defined, Test all RTO1-
3 activities, communicate on the test results)
(Valid for all type of tests) Need to follow up action plans that were defined in the test reports.
Verify the test design and operational efficiency of the tests. "does the test really tested what we
intended to ?
The results of the Business Continuity Plan test are reported to all stakeholders and approved. The results
are analyzed and compared with the stated objectives, and actions are taken to bridge any gaps.
This control falls more under the general idea of testing and reporting
Another Example – Control Testing

15. 3. The Outcome
1. A compromise
1. For each control, requirements were set
2. Olympic Minimum was set
3. Lot of experience was shared
4. And we had a good time in Prague
2. Challenges
1. Based on the questionnaire
2. Local entities challenge planning interviews
Together –
Working
Group

16. 4. Applicability – my thoughts
1. How to avoid another ticking the box?
1. Experienced people
1. Having a broad view company (entity) wide,
2. Interview and ‘audit’ skills
2. Periodic (yearly) reviews !!!
3. Local management involved
2. Missing
1. Even more emphasis on BIA!
2. Take time to talk, let people tell their story
3. Simplicity
4. What do the BCI Guidelines tell us?
Minimal
Impact

17. 4. Applicability – my thoughts
3. Balance
1. At least there is one updated and streamlined version after
many years, great!
2. Still … dare to dig deeper and embrace more other domains like
Information Security, Risk, …
3. Why not fully use, implement buzz words as Sustainability,
Resilience, Privacy, … and use them as (part of) the ultimate
underlying BC framework?
4. Sharing
1. Needs: a scale (see before), a series of controls, questions per
control, the BC basics, experienced people
2. Excel, Word, … will do => history to be kept
Framework
Sharing
- tools

18. Framework Overview – “Model”:
- Questionnaire – Scale – Effective (important!)
See Examples BIA and Testing
- Sorted via BCI Lifecycle phases (Guidelines, easy)
- Challenge via Interviews (Experience)
- Word and Excel, Results per Indicator in overall Risk Tool

19. Presentation Summary - Evaluation
• The ability to be able to continue the critical business processes
during/after a major disruption is essential to an organisation. It is a
challenge to implement BCM but is generally more of a challenge to keep
BCM up to date and keep improving the capabilities to deal with new and
changing threats such as cyber that an organisation faces.
• At KBC Bank this was tackled by challenging the organizational entities to
demonstrate and improve their BCM maturity resulting in improved
resilience.
1. how this approach was sold to Top Management,
2. how it was developed and implemented with minimal impact on the
organisation.
3. also demonstrate the benefits and how various departments worked
together to establish and conduct this programme.
4. share the framework which can easily be adopted by other organisations.

20. THANK YOU
• One approach – great!
• Still room for improvement
• Seasoned people
Be Resilient – Advice on
Information Security &
Business Continuity
Rudy Muls
MBCI, CISSP
0032 473/24.75.15
rudy.muls@b-risc.info

21. This presentation was delivered at a
BCI event
To find out more about upcoming
events please visit our website